How should I fix zizmor audits?

[baggiponte]

Hello there! I think zizmor is potentially quite useful but, unlike other tools I use like ruff, I hardly know what fix I need to make. See:

info[template-injection]: code injection via template expansion
  --> ./.github/workflows/pages.yaml:55:9
   |
55 |         - name: Build with Hugo
   |           --------------------- info: this step
56 |           env:
...
59 |             HUGO_ENV: production
60 | /         run: |
61 | |           hugo \
62 | |             --gc \
63 | |             --minify \
64 | |             --baseURL="${{ steps.pages.outputs.base_url }}/"
   | |____________________________________________________________- info: steps.pages.outputs.base_url may expand into attacker-controllable code
   |
   = note: audit confidence → Low

How should I fix this?

If you it would be too much of a hassle to just add the suggestions, I think it would still be cool to print out the URL to the docs.

[woodruffw]

Hi @baggiponte, thanks for opening a discussion!

There are a few different parts here:

1. Each audit has remediations documented in a sub-section of the audit docs. For template-injection for example, the remediation is documented here: https://docs.zizmor.sh/audits/#remediation_18

   Specifically, to answer your question: in your case you would replace ${{ steps.pages.outputs.base_url }} with an environment variable, e.g.:

- name: Build with Hugo
  env:
    HUGO_ENV: production
    BASE_URL: ${{ steps.pages.outputs.base_url}}
  run: |
    hugo ... --baseURL="${BASE_URL}/"

2. I think it would still be cool to print out the URL to the docs.

   This is printed out, although the fact that people miss it suggests that I've been too clever/subtle with it 😅 -- the audit ID in each finding is actually a clickable OSC 8 URL, which will take you to the docs URL for that finding if you click on it.

   For example, in my IDE's terminal, the audit ID gets visually underlined to indicate that it's a clickable URL:

   

   It looks like other terminals (e.g. Ghostty) don't do that visual underline however, so I can see why this would be confusing. I'll look at adding the docs URL as a separate tip/hint element for easier access.

3. Finally, in the near-ish future, zizmor will gain a --fix mode that should be able to auto-fix many of these findings. That's still a work in progress, but it should behave a lot like ruff's --fix in that it'll "just work" without users having to interpret the remediation guides 🙂

[baggiponte]

Ciao @woodruffw, thank you very much for the thorough reply! Indeed, the docs are super thorough. I totally missed that it was a clickable url (man, you did really think of everything! 😱). You did also snipe I'm on ghostty. Looking forward to the future --fix flag.

[woodruffw]

No problem, thanks for filing a discussion!